Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 755392 - <sys-apps/dbus-1.12.20: use after free if duplicate UIDs
Summary: <sys-apps/dbus-1.12.20: use after free if duplicate UIDs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.freedesktop.org/archive...
Whiteboard: A4 [glsa+]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-11-18 17:38 UTC by John Helmert III (ajak)
Modified: 2020-12-23 20:21 UTC (History)
1 user (show)

See Also:
Package list:
sys-apps/dbus-1.12.20
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) 2020-11-18 17:38:06 UTC
From the release notes:

• On Unix, avoid a use-after-free if two usernames have the same
  numeric uid. In older versions this could lead to a crash (denial of
  service) or other undefined behaviour, possibly including incorrect
  authorization decisions if <policy group=...> is used.
  Like Unix filesystems, D-Bus' model of identity cannot distinguish
  between users of different names with the same numeric uid, so this
  configuration is not advisable on systems where D-Bus will be used.
  Thanks to Daniel Onaca.
  (dbus#305, dbus!166; Simon McVittie)


This version has been in tree since July, so maybe time to stable?
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-11-18 23:42:39 UTC
x86 stable
Comment 2 Sam James archtester gentoo-dev Security 2020-11-19 00:12:35 UTC
amd64 done
Comment 3 Sam James archtester gentoo-dev Security 2020-11-19 00:14:45 UTC
amd64 done
Comment 4 Rolf Eike Beer 2020-11-22 15:39:30 UTC
sparc stable
Comment 5 Sam James archtester gentoo-dev Security 2020-11-23 03:59:02 UTC
ppc64 done
Comment 6 Sam James archtester gentoo-dev Security 2020-11-23 04:34:23 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-11-23 04:34:49 UTC
arm done
Comment 8 Sam James archtester gentoo-dev Security 2020-11-23 04:37:17 UTC
ppc done
Comment 9 Rolf Eike Beer 2020-11-24 19:11:03 UTC
hppa stable
Comment 10 Sam James archtester gentoo-dev Security 2020-11-30 01:19:04 UTC
Please cleanup, thanks!
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-12-23 00:55:45 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:45 UTC
This issue was resolved and addressed in
 GLSA 202012-17 at https://security.gentoo.org/glsa/202012-17
by GLSA coordinator Thomas Deutschmann (whissi).